Changing IP address to access public website ruled violation of US law

No Homers: Bypassing a user-specific ban to access an otherwise public website violates computer fraud law.

Fox Broadcasting Company

Changing your IP address or using proxy servers to access public websites you've been forbidden to visit is a violation of the Computer Fraud and Abuse Act (CFAA), a judge ruled Friday in a case involving Craigslist and 3taps.

The legal issue is similar to one in the Aaron Swartz case, in which there was debate over whether Swartz "had committed an unauthorized access under the CFAA when he changed his IP address to circumvent IP address blocking imposed by system administrators trying to keep Swartz off the network," law professor Orin Kerr wrote yesterday on the Volokh Conspiracy blog.

The ruling in Craigslist v. 3taps (PDF) is the first "directly addressing the issue," Kerr wrote. 3taps drew Craigslist's ire by aggregating and republishing its ads, so Craigslist sent a cease-and-desist letter telling the company not to do that. Craigslist also blocked IP addresses associated with 3taps' systems.

"3taps bypassed that technological barrier by using different IP addresses and proxy servers to conceal its identity and continued scraping data," wrote Judge Charles Breyer of US District Court in Northern California. Craigslist subsequently accused 3Taps of violating the CFAA, which "imposes criminal penalties on any person who, among other prohibitions, 'intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains... information from any protected computer.'”

3taps asked the court to "hold that an owner of a publicly accessible website has no power to revoke the authorization of a specific user to access that website" and argued that criminalizing its activity under the CFAA would create a slippery slope that could harm ordinary Internet users and allow Web companies to use anti-competitive practices.

Breyer denied the company's motion, saying 3taps did not prove that Craigslist's actions were illegal. Under the "plain language" of the CFAA, 3taps did not have authorization to visit Craigslist:

3taps’ argument starts out on firm statutory ground: “[B]y making the classified ads on its website publicly available, Craigslist has ‘authorized’ the world, including 3taps, to access craigslist.org.

But it does not answer the question here, which is whether Craigslist had the power to revoke, on a case-by-case basis, the general permission it granted to the public to access the information on its website. Craigslist certainly thought it had such authority and sought to exercise it through its cease-and-desist letter and IP blocking measures. 3taps says that Craigslist had no power to “de-authorize” anyone, but it cannot point to any language in the statute supporting that conclusion.

In fact, the statutory context and the Ninth Circuit’s interpretation of the phrase “without authorization” both cut against 3taps’ argument. One way to accomplish the result that 3taps urges—prohibiting computer owners from revoking “authorization” to access public websites—would be to restrict the kind of information protected by the CFAA. For example, Congress might have written § 1030(a)(2) to protect only “nonpublic” information. A neighboring provision in the CFAA includes that very modifier and prohibits access without authorization to “nonpublic” government computers. Another adjacent provision applies only to certain kinds of financial information. Congress apparently knew how to restrict the reach of the CFAA to only certain kinds of information, and it appreciated the public vs. nonpublic distinction—but § 1030(a)(2)(c) contains no such restrictions or modifiers.

Breyer also tore down 3taps' slippery slope arguments. The average person does not use an anonymous proxy to bypass IP blocking enforced through a cease-and-desist letter addressed specifically to that person, the judge wrote:

Without any language in the statute to support its arguments, 3taps lets the cat out of the bag in the concluding section of its brief and urges consideration of “serious policy concerns” raised by straightforward application of the CFAA’s broad language. There, and sprinkled throughout its earlier, ostensibly text-based, arguments, 3taps posits outlandish scenarios where, for example, someone is criminally prosecuted for visiting a hypothetical website www.dontvisitme.com after a “friend”—apparently not a very good one—says the site has beautiful pictures but the homepage says that no one is allowed to click on the links to view the pictures. Needless to say, the Court’s decision [regarding 3taps' actions]... does not speak to whether the CFAA would apply to other sets of facts where an unsuspecting individual somehow stumbles on to an unauthorized site.

3taps also invites this Court to make all manner of legislative judgments turning on, for example, the “culture” of the Internet, the Court’s view of whether accessing a website is more like window shopping from a public sidewalk or actually entering a store and whether “a permission-based regime for public websites could implode the basic functioning of the internet itself.” 3taps opines that “the ‘socially prudent’ benefits of finding an implied license [to access public website data] far outweigh any social utility derived from allowing a website owner to selectively block access to publicly available information, including by competitors.”

Maybe, or maybe not—but it is certainly not for this Court to impose its views on those matters on unambiguous statutory language.

IP blocking hardly much of a “technological barrier”

Kerr, a professor of law at George Washington University and a former trial attorney in the Computer Crime and Intellectual Property Section at the US Department of Justice, wrote that Breyer's decision is consistent with his view that "circumventing some kind of technological barrier is required to violate the CFAA." However, Kerr is disappointed that Breyer takes it as a given that changing one's IP address or using a proxy counts as the circumvention of a technological barrier.

Whether Craigslist sent a cease-and-desist letter to 3taps is only necessary to prove 3taps' intent in accessing the website despite being told not to, Kerr wrote. The "circumvention of a technological barrier" question is a separate one that isn't addressed in the ruling in any depth, he wrote.

"The counterargument runs like this," Kerr wrote. "IP addresses are very easily changed, and most people use the Internet from different IP addresses every day. As a result, attempting to block someone based on an IP address doesn’t 'block' them except in a very temporary sense. It pauses them for a few seconds more than actually blocks them. It’s a technological barrier in the very short term but not in the long term. Is that enough to constitute a technological barrier?"

Kerr wrote by way of disclosure that "I have discussed this case with the defendant’s side but my analysis here remains my independent opinion."

The bill's text "deletes the vague phrase 'exceeds authorized access and clarifies the definition of 'access without authorization,' key fixes in a law that has for years been misinterpreted because of its vague definitions," according to the Electronic Frontier Foundation. "Without this change, the government could've prosecuted everyday Americans for violating low-level terms of service violations... In short, everyone would be a criminal, leaving it up to the government to decide when and where to bring down the hammer."

If IP address blocking is a legally binding way of banning a user, does that establish that an IP address must be considered "personally identifying information" for privacy policies and related purposes?

Probably the judge should not have touched the IP address at all. It's clear here that permission was not given to use the data, and they took steps that demonstrated they were aware of that. The decision should have hinged simply on whether terms of use are legally binding, which is a big enough issue on its own.

Changing your IP address or using proxy servers to access public websites you've been forbidden to visit is a violation of the Computer Fraud and Abuse Act (CFAA)

I don't have a problem with this, as the key is doing it to access materials you have been forbidden to visit. If it grows to becoming something more obviously it would need to be looked at again, but for this type of situation it seems fair.

If IP address blocking is a legally binding way of banning a user, does that establish that an IP address must be considered "personally identifying information" for privacy policies and related purposes?

Probably the judge should not have touched the IP address at all. It's clear here that permission was not given to use the data, and they took steps that demonstrated they were aware of that. The decision should have hinged simply on whether terms of use are legally binding, which is a big enough issue on its own.

Really? There's no shade of gray? A company trying to access information to make money that the owning website has every right to deny commerical use of is a little different than someone looking at web content they're not supposed to.

Case A completely denies your site web traffic and hits, and can even threaten your business model. Case B is just a person accessing your content which everyone else in the world is probably allowed to see.

I should not have read this after eating my lunch, I almost burfed it up after reading this...

So if I use a proxy i'm criminale now...... How Wonderfull.....

No, only if you use a proxy specifically to bypass a ban that a website has placed on you.

I think this ruling makes sense, really. The law is fairly clear, even if you don't agree with it, and the decision makes a distinction between changing your IP address just because and doing so to avoid a block.

In this specific case, it's probably a valid decision because companies do need to be able to enforce IP bans, like if a person or company was to start spamming Ars forums with garbage or some similar scenario.

What has me worried is, this case may now be used as persuasive precedent for getting around licensing issues with like Netflix or things of that nature. I don't think people need to be prosecuted under the CFAA for viewing Netflix in another country. For example, let's say I'm a valid Netflix subscriber in the USA and I visit Canada for the week. I bring my computer along to continue watching the new season of Arrested Development. Suddenly, the Canadian IP address Netflix registers isn't licensed to watch Arrested Development. So now I VPN into an American server. The federal government could now use this case as support that I should be prosecuted under the CFAA because I spoofed my IP address to watch some Arrested Development.

That's a scary scenario and that's probably the tip of the iceberg. This area is fraught with abuse and until there are some intelligent folks in the government and judiciary who understand how technology actually works and is used by the public, we're in for a long and arduous process of hoping that seemingly innocuous activities don't land us in federal prison.

This is ridiculous! It should be very simple, public access sections of a website are just that, public access. If you want to have things restricted, you need to get the user to agree to T&C's to get a login and then you ban that access. IP Address blacklisting is worthless now with so many access points. Would it be considered illegal circumvention if I get blocked at home and reboot my cable modem to pull a new lease? How about going down to Starbucks and getting online there. This is the slippery slope. Even worse when you think you could get IP Address banned from a site, only to have your ISP renew your IP lease that night and you get back online not knowing. What then? Did I break the law?

edit: Not to mention people behind NAT routers. My apartment building provides internet, we are all NAT'ed out so all have the same IP address. Great example how IP Blacklisting is useless today.

Only if you are using to access a resource that you have been banned from.

So households with multiple people will inevitably have new created felons because of this rulings.

May I ask how you reached that conclusion?

Sibling gets banned from website. Mom tells sibling to fix it so other sibling can still use website. Sibling changes IP address.

Felon.

Then no, households with multiple people will not have created felons. The beauty is in the details. As long as they don't change it/mask it/whatever it so the banned party can access it does not meet the criteria spelled out.

So am I also in trouble with this judge if I change my cell phone number because I am tired of sales calls?

How about if I move to a new home, am I guilty of attempting to evade distribution of the 3 useless phone books dropped on my doorstep annually?

Back on topic, does this mean that in the future, each person will be assigned a personal IP address which cannot be changed and acts as a national ID number?

To resolve the situation of technologically illiterate judges, I suggest the establishment of a special "Technology Court" staffed with judges required to possess a degree and a minimum of 5 years work experience in technology in addition to their legal education. This court could more effectively adjudicate legal issues that are at or ahead of current law, and could quickly rule on the effectiveness of legislation like the CFAA in order to quickly strike down provisions that led to the unfortunate prosecution of Aaron Swartz.

Edit: For all those down voting, the gist of my poorly-phrased comment above was intended to focus on the following points:

That the law should focus on 3Taps behavior of aggregating and republishing ads on Criaigslist, not 3Taps swapping IP addresses to avoid Craigslist's IP block.

Increased technological education in the judiciary would benefit all parties in these types of cases. While it is true that Patent Courts have been less than successful, however it is likely that these courts are more effective than regular courts when faced with similar facts.

Other countries (South Korea) have adopted policies that limit anonymous internet access, leading to a reduction in freedom, which in my opinion is not something that Americans should support.

The phone book and telephone number analogies were very weak, but were used to inject humor into a not very humorous situation...

This commenter has no idea if the judge is actually technologically illiterate and apologizes profusely if the finding was limited by the law and not colored by interpretation of the law based on lack of knowledge.

Fuck this country. I will use proxies as much as I want. Now all of the corporations (not to mention the government) is going to use this as an excuse to do whatever they want.

"Forbidden"...seriously, Comcast and other ISP's will place blocks on IP's that they deem either competitive content or something like piratebay or whatever, and if you are caught using a proxy to get around it, they will use that as an excuse to disconnect/charge more.

It WILL happen. Bookmark this thread, because this right here is the feather that broke the back of a true free internet.

Everything that we predicted in the early 90's is coming true. No, this is not tinfoil hat. It's happening. Everything that we said was going to happen is happening, government using the excuse of war/terrorism to bend our freedoms, nameless corporations running things. It's all happening just as predicted. All in the name of safety, all in the name of convenience, all in the name of special interests. What a joke we have become.

I have to admit I'm not sure where I sit on this one. From the headline my immediate reaction was WTF are they crazy? I can also see how this could be used as precedent and applied to a lot of other situations that could be bad. Based on this someone could violate the CFAA with out knowing it. IP gets block and website stops working. You don't know why. IP gets renewed and changes as can happen with DNS. Website starts working again. Boom. You've apparently violated the CFAA.

On the other hand in this specific case I don't know that the ruling is wrong. Company A sent Company B a letter saying you can't do this and to prevent it setup a simple block to keep them from doing it. Company B intentionally works around that block to keep doing it. Seems pretty straight forward to me.

Is this just another excuse to block us canadians from accessing your precious american television shows online with our dirty, maple-flavored bandwidth?

Except we're not subject to US laws

Actually, if you assert yourself into the US and break US laws (and a company or the US government cared enough to prosecute you), the US now has jurisdiction to ask Canada for extradition. Now, that's highly unlikely as it's more paperwork than it's actually worth. However, be certain, if you violate a US law, even if you're in another country, you can still be held accountable so long as there's an extradition treaty and the governments actually care to pursue the charge. Again, unlikely, but making blanket statements like that can get people into trouble.

Only if you are using to access a resource that you have been banned from.

So households with multiple people will inevitably have new created felons because of this rulings.

May I ask how you reached that conclusion?

Sibling gets banned from website. Mom tells sibling to fix it so other sibling can still use website. Sibling changes IP address.

Felon.

That hardly reaches the level of "will inevitably have new created felons". It's certainly possible this scenario would occur (just not inevitable) and problematic that it's a felony, but your original statement is still over-exaggerated and off-base.